zoukankan      html  css  js  c++  java
  • Nginx+Tomcat*利用certbot实现https

    一、利用Let's Encrypt 免费生成HTTPS证书

    1、下载安装certbot(Let's Encrypt )

    2、利用certbot生成证书

    3、配置nginx的https证书

    安装cerbot

    [root@hz1 ~]# wget https://dl.eff.org/certbot-auto
    
    [root@hz1 ~]# chmod a+x certbot-auto
    
    [root@hz1 ~]#./certbot-auto 

    利用certbot生成证书

    [root@hz1 certbot]# ./certbot-auto certonly --email  zhai.junming@timecash.cn --agree-tos --webroot -w  /alidata1/www/timecash22/api3  -d  xxxx.zjm.cn/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
    
      DeprecationWarning
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    Obtaining a new certificate
    
    Performing the following challenges:
    
    http-01 challenge for xxx.zjm.cn
    
    Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
    
    Waiting for verification...
    
    Cleaning up challenges
    
     
    
    IMPORTANT NOTES:
    
     - Congratulations! Your certificate and chain have been saved at
    
       /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your
    
       cert will expire on 2017-09-06. To obtain a new or tweaked version
    
       of this certificate in the future, simply run certbot-auto again.
    
       To non-interactively renew *all* of your certificates, run
    
       "certbot-auto renew"
    
     - If you like Certbot, please consider supporting our work by:
    
     
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    
       Donating to EFF:                    https://eff.org/donate-le
    
    
    -w:指定域名的根目录
    
    -d:指定域名
    
    Note:证书已经生成到了/etc/letsencrypy/live/xxx.zjm.cn下

    Nginx配置https证书

    #http访问
    
            server {   
    
            listen       80;
    
            server_name  www.xxx.cn;
    
            return     301  https://$server_name$request_uri;
    
        }
    
    #https访问   
    
       server {
    
            listen 443 ssl;
    
            server_name www.xxx.cn;
    
            ssl_certificate /etc/letsencrypt/live/www.xxx.cn/fullchain.pem;
    
           ssl_certificate_key/etc/letsencrypt/live/www.xxx.cn/privkey.pem;
    
         ssl_trusted_certificate/etc/letsencrypt/live/www.xxx.cn/chain.pem;
    
         ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    
     
    
              location  / {
    
                            proxy_pass http://www.xxx.cn/;
    
                          }
    
               }
    
    ssl_certificate和ssl_certificate_key分别对应fullchain.pem,privkey.pem
    
    ssl_dhparam通过以下命令生成
    
    $ mkdir /etc/nginx/ssl
    
    $ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

    自动更新https证书

    由于这个免费的证书只有90天的使用时间,所以遇到定时更新以下证书,这里是利用certbot每隔一段时间自动更新证书

    手动执行更新

    ./certbot-auto  renew --dry-run

    结合crontab每隔一段时间自动更新证书

    30 2 * * 1 ./certbot-auto  renew  >> /var/log/le-renew.log

    PS:

            1、生成证书的时候切记-w参数后边的站点目录要写对,不然会报错

       2、只需配nginx支持https就好,tomcat不用配置

             3、前端代码和后端接口必须支持https

  • 相关阅读:
    Python os模块
    Python 常用模块
    CentOS7中配置基于Nginx+Supervisor+Gunicorn的Flask项目
    CentOS下安装Python3.4
    修改windows文件的换行符
    dubbo源码阅读-ProxyFactory(十一)之JdkProxyFactory
    dubbo源码阅读-Filter默认实现(十一)之DeprecatedFilter
    dubbo源码阅读-Filter默认实现(十一)之TimeoutFilter
    dubbo源码阅读-Filter默认实现(十一)之ExceptionFilter
    dubbo源码阅读-Filter默认实现(十一)之ContextFilter&ConsumerContextFilter
  • 原文地址:https://www.cnblogs.com/lidong94/p/7156839.html
Copyright © 2011-2022 走看看